First published 29 April 2026
CVSS:3.1: 6.8 (Medium)
CVSS:3.1/AV:P/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Summary
A security vulnerability has been found in a method for resetting IGEL OS to factory defaults. This affects the following product versions:
- IGEL OS 12
- IGEL OS 11
Details
IGEL OS offers a local method to reset all settings to factory defaults even without knowing the root password. The procedure involves sending a string to IGEL Customer Care and receiving a valid reset key. The cryptographic method to produce the reset key has been found to be insecure; a tool to produce such a key is available on the Internet. This vulnerability would allow a local attacker to reset an IGEL OS device to which they have physical access without the root password. They could make the device unusable or employ it to trick users. IGEL rates this issue as medium.
IGEL is removing the affected feature. IGEL OS devices can still be reset from UMS.
Update Instructions
- OS 12: Upgrade to IGEL OS 12.8.0.
- OS 11: Upgrade to IGEL OS 11.11.150 as soon as it is available.
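To find devices still below the fixed releases named above, the following added example (not IGEL code) triages an inventory export by version. The CSV layout, column names, hostnames and sample versions are constructed assumptions; only the thresholds 12.8.0 and 11.11.150 come from this advisory.

```python
import csv
import io

# Fixed releases named in the Update Instructions of this advisory.
FIXED = {12: (12, 8, 0), 11: (11, 11, 150)}

# Constructed sample inventory; column names and hostnames are assumptions.
SAMPLE_INVENTORY = """hostname,os_version
tc-lobby-01,12.7.1
tc-lobby-02,12.8.0
tc-ward-17,11.10.210
tc-ward-18,11.11.150
tc-lab-03,12.8
tc-lab-04,unknown
tc-old-09,10.06.220
"""

def parse_version(text):
    """Return the version as a tuple of ints, or None if it is not dotted numeric."""
    parts = text.strip().split(".")
    if not all(p.isascii() and p.isdigit() for p in parts):
        return None
    return tuple(int(p) for p in parts)

def classify(version_text):
    """Map a version string to 'fixed', 'needs_upgrade', 'not_listed' or 'unparsed'."""
    version = parse_version(version_text)
    if version is None:
        return "unparsed"  # follow up by hand rather than assume it is fixed
    fixed = FIXED.get(version[0])
    if fixed is None:
        return "not_listed"  # major line not named in the advisory
    # Pad with zeros so that "12.8" compares equal to "12.8.0".
    width = max(len(version), len(fixed))
    padded = version + (0,) * (width - len(version))
    return "fixed" if padded >= fixed + (0,) * (width - len(fixed)) else "needs_upgrade"

def triage(inventory_csv):
    """Return {hostname: status} for every row of the inventory."""
    rows = csv.DictReader(io.StringIO(inventory_csv))
    return {row["hostname"]: classify(row["os_version"]) for row in rows}

if __name__ == "__main__":
    for host, status in triage(SAMPLE_INVENTORY).items():
        print(f"{host:12} {status}")
```

Devices reported as needs_upgrade on the OS 11 line stay exposed to anyone with physical access until 11.11.150 is available and installed.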